How Hostfully is preventing potential fraud by innovating its onboarding process
At Booking.com, our teams work around the clock to identify and block fraudsters from creating fake properties. Recently, our security systems – that use a combination of AI/machine learning and real-time monitoring to detect suspicious activity or irregular behaviour – flagged some suspicious activity connected to accounts originating from the same Property Management Platform (PMP). At the same time, Hostfully, a vacation rental PMP, noticed similar suspicious activity.
We spoke with Eric Andersen, Senior Director of Customer Support at Hostfully, to find out the steps they took after being alerted to the suspicious activity and accounts by Booking.com to prevent the risk of future fraudulent activity.
What are some of the details you look for when you’ve detected suspicious activity on your platform?
We received an email from Booking.com alerting us to the accounts. As part of the opening process, they had been flagged by their security systems as being potentially fake. Around this time, we had noticed unusual user behaviour for those same accounts.
To start with, we noted that a few new clients weren’t responding to our meeting invitations for onboarding. This is unusual. While some of our clients are extremely tech savvy and use our how-to articles to set everything up themselves, they usually still respond to our emails. So the behaviour was suspicious from the outset, but didn’t warrant taking drastic measures like shutting down their access to the Hostfully PMP. Rather, we created an internal red flag to monitor these accounts.
It turns out monitoring those accounts was the right call. Most of our clients have us help them with the import to Booking.com, but we noticed those suspicious clients’ did not engage with any of our sales reps and started to use our channel manager integration on their own without any help. This was very suspicious.
This is where getting to know your clients is worth its weight in gold. Our onboarding specialist reached out to our sales team to get some background information on those clients. It turns out, none of them had met even one of our sales reps. They all signed up for the Hostfully PMP directly from the website. That’s very unusual (but not impossible). Most large-scale property managers shop around and have sales reps from different providers show them a demo to see if the solution is the right fit for their business. Not only were these clients not responding to our emails, but no one knew who they were.
As soon as the suspicious activity was flagged on Booking.com, they deactivated the listings within the hour. We compared notes and shortly after validating the accounts were in fact fraudulent, we shut down the PMP accounts on Hostfully.
“We employ a wide array of people, tools and processes to protect our customers and the businesses on our platform. In this case, these measures helped us to take immediate actions and remove new fraudulent listings within an hour of them attempting to list.” – Pascal Mafait, Senior Manager of Partner Fraud and Abuse at Booking.com.
What actions did you take to reduce the risk of this happening again?
We had to act fast and make sure the solution we were going to implement would resolve the issue permanently. We couldn’t allow fraud to originate from our software.
Working with various teams at Booking.com, we looked at our internal processes. The commonality in these fake account cases was that the fraudsters had ignored the onboarding process. Our engineering team thought of an easy way to fix this. Instead of allowing all new clients access to the full suite of tools at sign-up, why not make the onboarding process a requirement for each new account? Not only would it prevent future fraud, but it would also ensure that we get to meet each client.
In under two days, our engineering team implemented the solution. Now, new clients get a pop-up in the user interface. If a client tries to activate a listing site, the user interface asks them to contact onboarding first. On the back end, this required a modification to our client database and the addition of an access toggle to our onboarding specialist’s dashboard.
Since we’ve implemented this system, we haven’t experienced any new attempts to list fake properties in this way.
How has this solution been perceived by your properties?
We haven’t received any pushback from existing customers since they have already gone through the process of registering. As for new customers, we haven’t seen any pushback either. They appreciate the help our onboarding specialists provide and generally look forward to the process.
What were your main learnings from this experience?
Knowing our customer was key to identifying this problem and implementing a reasonable and proportionate solution. It turns out that this isn’t just good customer satisfaction best practice – it also helps identify potentially fraudulent accounts.
Every software provider always has security at the top of their minds, but we generally think of blocking threats from the outside. In a way, this was an “insider threat” situation. A bad actor had access to part of our system that could potentially facilitate fraud. What this case shows us is that people are creative and find exploits. It not only made us rethink our customer journey process, but also encouraged us to take an even closer look at how we manage privacy, handle and store information, and probe our system internally and externally for potential exploits.
Have you planned any next steps or follow-up activities?
We’re keen on sharing this case study with all our software partners and implementing best practices immediately. Since this happened, we’ve already boosted security and started to rethink what accesses and privileges are necessary for our customers.
What one piece of advice would you share with other providers?
At the end of the day, knowing your customer and understanding how they interact with your software – from onboarding to everyday use – is key to preventing mishaps.
Discover our best practice checklist to ensure your platform is as safe and secure as possible. If you notice suspicious activity or suspect a threat, you can report it via support.connect.booking.com.
- Earlier this year, Booking.com identified some suspicious activity connected to a handful of new accounts originating on the Hostfully platform
- After alerting Hostfully to the activity and listings, Booking.com swifty deactivated the listings on its platform and Hostfully shut down the PMP accounts
- After brainstorming solutions with Booking.com, Hostfully came up with a new onboarding process that helps reduce the risk of future fraudulent activity